
Getting Started with GroundWork Monitor


duke

Presentation Transcript


  1. Getting Started with GroundWork Monitor GroundWork Monitor Enterprise Edition 6.2

  2. Getting Started with GroundWork Monitor
     Course Objectives for this Module
     Integration with Active Directory
     • Requirements
     • Getting it going
     • Setting up Groups and Roles
     • Disabling default authentication
     Integration with OpenLDAP
     • Requirements
     • Getting it going
     • Groups and Roles again
     LDAPS
     • Requirements
     • Setup
     • Certificates export and import

  3. GroundWork Monitor Enterprise Edition 6.2
     Module 8: LDAP for AD, OpenLDAP and LDAPS Setup

  4. LDAP Authentication Configuration
     Active Directory
     Resource How-to: Home > USING APPLICATIONS > Operational How To's
     Some important points:
     • LDAP users cannot be assigned to roles using the portal administrator application
     • LDAP users do NOT need to be defined in the portal (this is different from GroundWork Monitor 5.x)
     • Configuration of LDAP parameters is done outside of the User Interface, and requires a restart of gwservices.
     • Role names have changed:
       • User is now GWUser
       • Operator is now GWOperator
       • Admin is now GWAdmin

  5. LDAP Authentication Configuration
     Active Directory: Requirements
     Required:
     • Active Directory domain controller to which you have access
     • Account with rights to browse the container in which you store the users. Example: ldapauth, context: cn=ldapauth,ou=GWUsers,dc=demo,dc=com
     Optional:
     • Roles in the portal for desired access levels
     • A container and groups set up to match roles in the portal
     Useful:
     • Adsiedit.msc

  6. LDAP Authentication Configuration
     Active Directory: Sample Set of Users and Groups
     Organizational Unit (OU)
     • GWUsers
     Groups in the OU
     • GWUser
     • GWAdmin
     • GWOperator
     Users and membership
     • ldapauth
     • admin GWAdmin
     • test1 GWOperator
     • test2 GWUser
     • test3

  7. LDAP Authentication Configuration
     Active Directory: Getting it going
     • Edit login-config.xml
     • Copy and paste the section from the how-to
     • Change the AD server name or IP address
     • Change the LDAP admin user and password
     • Change the contexts for the LDAP admin and users, roles
     • Restart the portal (gwservices)
     • Test the login

  8. LDAP Authentication Configuration
     Active Directory: Setting up groups and roles
     • Add roles to the portal
       • Example: Add an Executive role
       • Allow the Executive role to view the Reports tab
     • Add groups to AD
       • Example: Add an Executive group
       • Add a user to the Executive group
     • Test the login

  9. LDAP Authentication Configuration
     Active Directory: Notes about Roles
     • Roles are additive
     • There is no (easy) way to change the automatic mapping of all AD users to the GWUser role in the portal. Restrict this role if you do not want all users to have the default apps.

  10. LDAP Authentication Configuration
      Disabling Default Authentication
      A good idea, because:
      • LDAP users are stored in the portal with no password
      • LDAP failure means all can log in without a password
      • For instance, if a user is deleted from LDAP…
      Easy to do (and undo):
      • Edit login-config.xml:
        • Comment out the DBIdentityLoginModule section
        • Change "sufficient" to "required" in the SynchronizingLDAPExtLoginModule section
      • Restart gwservices
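A check for the two edits on the slide above, as an added example that is not GroundWork's own code or configuration. It assumes the standard JBoss `login-config.xml` layout (`<policy>` / `<application-policy>` / `<login-module code=… flag=…>`); the `example.auth.` package prefix, the policy name and the option values are placeholders, and only the two module class names come from the slides.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the shipped file: package prefix, policy name and
# option values are placeholders; the module class names are from the slides.
DB_LINE = '<login-module code="example.auth.DBIdentityLoginModule" flag="sufficient"/>'
SAMPLE = f"""<policy>
  <application-policy name="portal">
    <authentication>
      <login-module code="example.auth.SynchronizingLDAPExtLoginModule" flag="sufficient">
        <module-option name="bindDN">cn=ldapauth,ou=GWUsers,dc=demo,dc=com</module-option>
      </login-module>
      {DB_LINE}
    </authentication>
  </application-policy>
</policy>"""

# The same file after the slide's two edits: DB module commented out, LDAP flag "required".
HARDENED = (SAMPLE.replace(DB_LINE, "<!-- " + DB_LINE + " -->")
                  .replace('flag="sufficient">', 'flag="required">'))


def audit_login_config(xml_text):
    """Return findings; an empty list means the password-less fallback is closed."""
    findings = []
    # ElementTree drops XML comments, so a commented-out module counts as disabled.
    root = ET.fromstring(xml_text)
    for policy in root.iter("application-policy"):
        name = policy.get("name", "?")
        modules = list(policy.iter("login-module"))
        ldap = [m for m in modules
                if m.get("code", "").endswith("SynchronizingLDAPExtLoginModule")]
        if not ldap:
            continue  # this policy does not authenticate against LDAP
        for m in modules:
            if m.get("code", "").endswith("DBIdentityLoginModule"):
                findings.append(f"{name}: DBIdentityLoginModule is still active")
        for m in ldap:
            if m.get("flag") != "required":
                findings.append(
                    f"{name}: LDAP module flag is {m.get('flag')!r}, expected 'required'")
    return findings


if __name__ == "__main__":
    for label, text in (("before", SAMPLE), ("after", HARDENED)):
        print(label, audit_login_config(text) or "OK")
```

Run it against a copy of the real file after each change and before restarting gwservices; a parse error here is also the kind of XML tag problem that keeps a module from loading.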

  11. LDAP Authentication Configuration
      OpenLDAP
      Some important points:
      • OpenLDAP is hard to configure.
      • OpenLDAP allows anonymous browsing by default. This can be a bad thing. Always configure GWME to use a user to access containers.
      • The user must have access to browse the tree in the User and Role context containers

  12. LDAP Authentication Configuration
      OpenLDAP: Requirements
      Required:
      • An OpenLDAP server
      • Administrative access to OpenLDAP (for setting up Users and Roles)
      • A user account with rights to scan the containers for Users and Roles
      Useful:
      • LDAP browser

  13. LDAP Authentication Configuration
      OpenLDAP: Getting it Going
      • Log in to the OpenLDAP server and set up the Users container (default is ou=People)
      • Set up the Roles container
      • Add users to the Users container
      • Add users to roles
      • It is a good idea to test your LDAP user login for browsing.
      Note: the root user is cn=manager by default, and while the uid=root object is in the People container, the context is the default, for example: cn=manager,dc=groundworkers,dc=com

  14. LDAP Authentication Configuration
      OpenLDAP: Getting it Going
      • Edit login-config.xml
      • Paste in the same text from the how-to as you would for Active Directory
      • Change the LDAP server from the default to your OpenLDAP server
      • Change the bindDN to the LDAP auth user
      • Change the bindCredential to the LDAP auth user's password
      • Change the contexts for users and roles, and make sure to change the format of the role filter and attributes. These differ from AD.
      • Restart gwservices
      • Test login

  15. LDAP Authentication Configuration
      OpenLDAP: Roles and Groups
      Setting up role-based access in GWME and OpenLDAP is similar to the process with AD. The main differences are:
      • OpenLDAP uses a separate container for the Roles (technically, groups), while AD typically places the groups in the same container as the users.
      To set up, match the roles in GWME to the roles in OpenLDAP as you would for AD, and add users to roles in OpenLDAP.

  16. LDAP Authentication Configuration
      LDAPS
      LDAPS is LDAP over SSL.
      Some important points:
      • LDAPS requires a certificate. Administrators will likely already have this as a text file somewhere safe.
      • This process goes through extracting the certificate, so care should be taken to use the correct parts of this procedure.

  17. LDAP Authentication Configuration
      LDAPS: Requirements
      • An OpenLDAP server with LDAPS turned on.
      • The OpenLDAP setup completed as above, but stop before you restart the portal.

  18. LDAP Authentication Configuration
      LDAPS: Setup
      • Edit login-config.xml
        • Add the setting for SSL
        • Change the LDAP server protocol and port
      • Extract the cert from OpenLDAP (unless the administrator already has it)
        • Run the openssl command
        • Grab the cert from the output and place it in a text file (example ldaps.pem)
      • Import the cert into JBoss
        • Run the keytool command
      • Restart gwservices
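For the "grab the cert from the output" step, an added example (not part of the presentation or of GroundWork's how-to) that picks the certificate blocks out of saved openssl output and releases the server certificate only if its SHA-256 fingerprint matches one obtained from the LDAP administrator. It assumes the output has the shape printed by `openssl s_client -showcerts`; the host name and certificate bodies below are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re


def _fake_cert(label):
    # Constructed stand-in bytes wrapped as PEM; not a real X.509 certificate.
    body = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


LEAF, CA = b"constructed leaf for ldap.example.com", b"constructed issuing CA"
# Constructed text shaped like `openssl s_client -showcerts` output.
SAMPLE_OUTPUT = f"""CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ldap.example.com
   i:/CN=Example Internal CA
{_fake_cert(LEAF)}
 1 s:/CN=Example Internal CA
   i:/CN=Example Internal CA
{_fake_cert(CA)}
---
Server certificate
subject=/CN=ldap.example.com
"""

# "<depth> s:<subject>" header, then the PEM block that follows it.
BLOCK = re.compile(
    r"^\s*(\d+) s:(.*?)\n.*?(-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----)",
    re.S | re.M)


def list_certs(output):
    """Return every certificate in the chain with its SHA-256 (DER) fingerprint."""
    certs = []
    for depth, subject, pem, body in BLOCK.findall(output):
        der = base64.b64decode("".join(body.split()))
        certs.append({"depth": int(depth), "subject": subject.strip(),
                      "pem": pem, "sha256": hashlib.sha256(der).hexdigest()})
    return certs


def cert_to_import(output, expected_sha256, depth=0):
    """Return the PEM at `depth` only if it matches the out-of-band fingerprint."""
    cert = next((c for c in list_certs(output) if c["depth"] == depth), None)
    if cert is None:
        raise ValueError("no certificate at that depth in the output")
    if cert["sha256"] != expected_sha256.replace(":", "").lower():
        raise ValueError("fingerprint mismatch: do not import this certificate")
    return cert["pem"] + "\n"
```

Write the returned text to ldaps.pem and pass that file to keytool. A certificate pulled off the wire is only as trustworthy as the connection it came over, which is why the fingerprint comparison comes before the import.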

  19. LDAP Authentication Configuration
      Troubleshooting
      If the LDAP logins do not work:
      • Check the framework.log file for startup errors. A simple problem with an XML tag can keep a module from loading and working.
      • Enable debug for the org.jboss.security class, and look in the framework.log for JNDI error and debug messages. Errors will be in the form of Java exceptions.
      • Double check that you can log in with an LDAP client with the LDAP auth user and password, as entered in the login-config.xml. Also check a test user in the user context.
      • Log files in AD and OpenLDAP may also give clues.

  20. Thank you
      GroundWork Open Source, Inc.
      139 Townsend Street, Suite 500
      San Francisco, CA 94107
      Phone: 415.992.4500
      Website: www.gwos.com
      Email: info@gwos.com
      GroundWork Subscription Support: support.gwos.com
      Confidential - Do not distribute
